According to the report, the threat actors spread PREDATOR through another piece of mobile malware called ALIEN, which served as the first stage for deploying the PREDATOR spyware onto compromised devices. ALIEN received commands from PREDATOR over IPC (inter-process communication), including recording audio, adding CA certificates, and hiding apps to evade detection. The TAG team said that PREDATOR was developed by Cytrox, a commercial surveillance company based in North Macedonia, and that the attackers exploited five zero-day vulnerabilities, four in Chrome and one in Android, to target Android users. The five distinct zero-day vulnerabilities exploited by the attackers were:
- CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003 in Chrome
- CVE-2021-1048 in Android
“The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem,” said TAG researchers Clement Lecigne and Christian Resell. According to the TAG team, Cytrox sold the spyware to different government-backed actors, who used it in at least three campaigns that started between August and October 2021. The exploits were used by government-backed actors in Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain, and Indonesia. The three campaigns that used the five previously unknown Chrome and Android vulnerabilities are:
- Campaign #1 – redirecting to SBrowser from Chrome (CVE-2021-38000)
- Campaign #2 – Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)
- Campaign #3 – full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)
All three campaigns delivered one-time links mimicking URL shortener services to the targeted Android users via email. Once clicked, the link redirected the victim to an attacker-owned domain that installed the ALIEN Android malware, which then loaded its main payload, PREDATOR, onto the victim’s device before redirecting the browser to a legitimate website. If the shortened link did not work, the victim was taken directly to the legitimate website. This method has already been used against journalists, political activists, officials and others.

Although Google patched the vulnerabilities used in these campaigns in 2021, the patches have not yet been fully deployed across the Android ecosystem. According to the TAG team, the campaign is still not over and more attacks are expected. Apparently, more than 30 vendors with varying levels of sophistication and public exposure are selling exploits or surveillance capabilities to government-backed actors.

To stay protected against such threats, regularly install software updates on your Android smartphone. Avoid opening emails from unfamiliar sources and delete them immediately so you do not accidentally open the message later; do not download any attachments accompanying the message, and never click links that appear in it.
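The patch gap the TAG researchers describe is something a defender can measure rather than guess at: every Android device reports its security patch level, and devices below a chosen bulletin date are the ones still exposed to already-fixed n-day bugs. The script below is an added example written for this page, not code from the article or from Google's report. It reads the real `ro.build.version.security_patch` property over `adb`, compares patch levels against a cutoff date, and audits a list of devices. The cutoff date and the sample inventory are constructed placeholders; the article only says the fixes shipped in 2021, so set `MIN_PATCH_LEVEL` to the bulletin you actually care about.

```shell
#!/bin/sh
# Added example (not from the TAG report or the article): flag Android devices
# whose security patch level predates a chosen cutoff, making the patch gap
# the article describes visible in your own fleet inventory.

# Constructed placeholder cutoff (YYYY-MM-DD). Set it to the security bulletin
# that carried the fixes you care about; the article only says "patched in 2021".
MIN_PATCH_LEVEL="${MIN_PATCH_LEVEL:-2021-12-01}"

# Read the patch level from a connected device. ro.build.version.security_patch
# is the real Android system property; adb must be installed and authorised.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# Validate a YYYY-MM-DD string and print it as an integer YYYYMMDD so that
# dates can be compared with POSIX test's -lt. Returns 1 on malformed input.
to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) echo "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the given patch level is older than MIN_PATCH_LEVEL,
# 1 when it is current, 2 when either date is malformed.
patch_level_is_stale() {
    pl_level=$(to_int "$1") || return 2
    pl_min=$(to_int "$MIN_PATCH_LEVEL") || return 2
    [ "$pl_level" -lt "$pl_min" ]
}

# Audit "serial patch_level" records read from stdin, one per line.
# Unreadable patch levels are treated as stale (fail closed).
# Prints one verdict per device and returns the number of stale devices.
audit_fleet() {
    stale=0
    while read -r serial level; do
        [ -n "$serial" ] || continue
        if ! to_int "$level" >/dev/null; then
            echo "UNKNOWN $serial $level"
            stale=$((stale + 1))
        elif patch_level_is_stale "$level"; then
            echo "STALE   $serial $level"
            stale=$((stale + 1))
        else
            echo "OK      $serial $level"
        fi
    done
    return "$stale"
}

# Constructed sample inventory; in practice build it from `adb devices`
# and device_patch_level for each serial.
SAMPLE_INVENTORY='emulator-5554 2021-09-05
emulator-5556 2022-01-05
emulator-5558 unknown'

# Usage: audit the sample; the return status is the number of stale devices.
printf '%s\n' "$SAMPLE_INVENTORY" | audit_fleet || echo "stale devices: $?"
```

Dates are compared as integers after stripping the dashes, which is enough for the fixed `YYYY-MM-DD` format Android uses and avoids a dependency on GNU `date`. A device whose property cannot be parsed is reported as `UNKNOWN` and counted as stale, because an unreadable patch level is not evidence that the device is current.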